An open reference architecture for governing autonomous AI systems in production environments.
Agentic AI needs a control plane. ACR provides six operational control pillars enforced at runtime. Learn more at https://autonomouscontrol.io/control-plane.
📖 Read the Docs | 🎯 Use Cases | 🔒 Threat Model | 🗺️ NIST Mapping | 📋 Adopt ACR
Run a runnable reference control plane that demonstrates ACR six-pillar runtime enforcement.
cd implementations/acr-control-plane
cp .env.example .env
docker-compose up --build
# Verify health
curl http://localhost:8000/acr/healthOpen the operator console at http://localhost:8000/console (Operator API key: dev-operator-key; Kill switch secret: killswitch_dev_secret_change_me).
docs/: the ACR framework specifications (the “why” and “what must be enforced”)implementations/acr-control-plane/: a runnable ACR Control Plane reference implementation (FastAPI + OPA + Postgres + Redis)implementations/: a landing page to jump straight into the control plane demo
- agentic AI governance
- runtime control plane
- policy as code
- Open Policy Agent (OPA) / Rego
- human-in-the-loop approvals
- drift detection
- kill-switch containment
- execution observability / audit evidence
The ACR Framework defines a runtime governance architecture for autonomous AI systems operating in enterprise production environments.
As AI systems evolve from static models into autonomous agents—capable of accessing data, invoking tools, and making operational decisions—traditional governance approaches centered on policy documentation and pre-deployment reviews no longer provide sufficient control.
ACR establishes architectural patterns for enforcing governance during live system operation, enabling organizations to maintain control over AI behavior in production.
Traditional AI governance programs focus on design-time controls:
- Policy frameworks: NIST AI RMF, ISO/IEC 42001, organizational AI policies
- Pre-deployment reviews: Model validation, impact assessments, approval workflows
- Risk classification: High/medium/low risk categorization, use case evaluation
These controls stop at deployment.
Once an AI system enters production, most organizations lack architectural mechanisms to:
- Enforce behavioral constraints during inference operations
- Detect drift when system behavior deviates from design intent
- Respond automatically to policy violations or anomalous actions
- Maintain audit trails with decision-level visibility
- Intervene in real-time when high-risk actions are attempted
This gap creates operational risk as autonomous systems interact with enterprise infrastructure, access sensitive data, and influence business processes.
ACR addresses this gap by defining runtime control patterns adapted from proven infrastructure governance architectures.
Like OWASP for application security and MITRE ATT&CK for threat modeling, ACR provides a shared vocabulary and reference architecture for runtime AI governance. It is:
- Framework-agnostic — Works with any model provider, stack, or policy engine
- Standards-aligned — Maps to NIST AI RMF, ISO/IEC 42001, SOC 2
- Implementation-flexible — API gateway, SDK, sidecar, or control-plane service patterns
- Adoption-ready — Maturity levels, adoption guide, citation and badge for implementers (ADOPTION.md)
Whether you are building in-house controls, evaluating vendors, or preparing for audits, ACR gives you a consistent way to design, implement, and assess runtime governance.
ACR is built on three foundational principles:
Policy compliance cannot be verified only at design time. Controls must operate during system execution, enforcing boundaries as the AI system processes requests, accesses resources, and generates outputs.
No single control mechanism is sufficient. ACR defines six complementary control layers that work together to detect, prevent, and respond to governance violations.
ACR does not invent runtime governance—it adapts established infrastructure control patterns (observability, policy enforcement, circuit breakers, least privilege) to the unique characteristics of non-deterministic AI systems.
ACR defines a control plane that mediates between autonomous AI systems and enterprise resources:
┌─────────────────────────────────────────────────────────────┐
│ Enterprise Applications │
│ (CRM, ERP, Data Warehouses, APIs) │
└──────────────────────────┬──────────────────────────────────┘
│
┌──────────────────────────▼──────────────────────────────────┐
│ AI Systems / Agents │
│ (LLMs, Autonomous Agents, AI Workflows) │
└──────────────────────────┬──────────────────────────────────┘
│
┌──────────────────────────▼──────────────────────────────────┐
│ ACR RUNTIME CONTROL PLANE │
│ │
│ ┌────────────────────────────────────────────────────────┐ │
│ │ Identity & Purpose Binding Layer │ │
│ │ (Service identity, operational scope, capability │ │
│ │ authorization, resource access control) │ │
│ └────────────────────────────────────────────────────────┘ │
│ ↓ │
│ ┌────────────────────────────────────────────────────────┐ │
│ │ Behavioral Policy Enforcement Layer │ │
│ │ (Input validation, output filtering, action │ │
│ │ authorization, data handling rules) │ │
│ └────────────────────────────────────────────────────────┘ │
│ ↓ │
│ ┌────────────────────────────────────────────────────────┐ │
│ │ Autonomy Drift Detection Layer │ │
│ │ (Behavioral baselines, statistical monitoring, │ │
│ │ anomaly detection, deviation alerts) │ │
│ └────────────────────────────────────────────────────────┘ │
│ ↓ │
│ ┌────────────────────────────────────────────────────────┐ │
│ │ Execution Observability Layer │ │
│ │ (Structured telemetry, audit trails, decision │ │
│ │ lineage, compliance evidence) │ │
│ └────────────────────────────────────────────────────────┘ │
│ ↓ │
│ ┌────────────────────────────────────────────────────────┐ │
│ │ Self-Healing & Containment Layer │ │
│ │ (Automated response, capability restriction, │ │
│ │ circuit breakers, escalation triggers) │ │
│ └────────────────────────────────────────────────────────┘ │
│ ↓ │
│ ┌────────────────────────────────────────────────────────┐ │
│ │ Human Authority Layer │ │
│ │ (Manual intervention, approval workflows, │ │
│ │ override mechanisms, kill switches) │ │
│ └────────────────────────────────────────────────────────┘ │
│ │
└──────────────────────────┬──────────────────────────────────┘
│
┌──────────────────────────▼──────────────────────────────────┐
│ Enterprise Systems & Data │
│ (Databases, File Systems, External APIs, Tools) │
└─────────────────────────────────────────────────────────────┘
The control plane enforces governance policy at runtime through six complementary control layers.
See ACR Control Plane Architecture for detailed design.
Every AI system operates with a cryptographically-bound identity tied to specific business purposes and authorized resources. Prevents operational scope expansion without approval.
Governance policies translate into machine-enforceable runtime rules for input validation, output filtering, action authorization, and data handling.
Establishes behavioral baselines and monitors for statistical deviations indicating the system is operating outside intended parameters.
Captures structured telemetry for all AI operations, enabling audit trails, decision reconstruction, and compliance evidence generation.
Enables automated response to policy violations and drift through capability restriction, workflow interruption, system isolation, and escalation.
Preserves human oversight through intervention mechanisms, approval workflows, override capabilities, and defined escalation paths.
ACR is an architectural framework, not a prescriptive implementation. Organizations can implement ACR controls using multiple approaches:
API Gateway Pattern
- Deploy control plane as reverse proxy (Envoy, Kong, NGINX)
- Intercept all model API traffic
- Centralized enforcement, language-agnostic
- Trade-off: Network hop adds latency, single point of failure
SDK/Library Pattern
- Embed control logic in application code
- Wrap model API clients with governance layer
- Low latency, distributed failure domain
- Trade-off: Requires per-language SDK, version management
Sidecar Pattern
- Deploy control plane as sidecar container
- Intercept traffic at network layer (service mesh)
- Infrastructure-enforced, platform-native
- Trade-off: Kubernetes/mesh dependency, complexity
Control Plane Service Pattern
- Separate governance service layer
- Applications call control plane for policy decisions
- Centralized logic, flexible integration
- Trade-off: Additional network calls, latency sensitive
Organizations select patterns based on infrastructure, latency requirements, and operational constraints.
See Implementation Guide for detailed deployment architectures.
ACR complements established AI governance and security frameworks:
- GOVERN: Organizational structures, policies → ACR enforcement mechanisms
- MAP: Risk identification, context → Identity binding, threat modeling
- MEASURE: Metrics, monitoring → Observability, drift detection
- MANAGE: Risk response, mitigation → Policy enforcement, containment
- Clause 6.1 (Risk Management): Risk assessment → Drift detection, threat model
- Clause 8.2 (Operation): Operational controls → Policy enforcement, observability
- Clause 9.1 (Monitoring): Performance monitoring → Telemetry, metrics
- Clause 10.1 (Nonconformity): Corrective action → Containment, incident response
- CC6.1 (Logical Access): Access controls → Identity binding, RBAC
- CC7.2 (System Monitoring): Monitoring controls → Observability, alerting
- CC8.1 (Change Management): Change controls → Drift detection, baselines
- PI1.4 (Privacy): Data privacy → Output filtering, PII redaction
See NIST AI RMF Mapping for detailed control mappings.
ACR applies to autonomous AI systems across enterprise contexts:
- Customer Service Agents: Enforce data privacy, prevent unauthorized discounts, detect tone drift
- Data Analysis Agents: Control database access, prevent SQL injection, monitor query patterns
- Code Generation Agents: Restrict file system access, block credential exposure, detect malicious code patterns
- Document Processing Agents: Enforce PII handling, control external API calls, monitor extraction accuracy
- Multi-Agent Workflows: Coordinate inter-agent authorization, maintain workflow audit trails, contain cascading failures
See ACR Use Cases for detailed scenarios and control applications.
- Framework README - This document
- Control Plane Architecture - Technical architecture
- Runtime Architecture - Deployment patterns
- Production Lifecycle - End-to-end workflow
- Pillars Overview - All six control layers
- Layer 1: Identity & Purpose Binding
- Layer 2: Behavioral Policy Enforcement
- Layer 3: Autonomy Drift Detection
- Layer 4: Execution Observability
- Layer 5: Self-Healing & Containment
- Layer 6: Human Authority
- Telemetry Schema - JSON schema for observability
- Policy DSL Requirements (planned v1.1)
- Drift Detection Requirements (planned v1.1)
- STRIKE Threat Model - AI-specific threats
- NIST AI RMF Mapping - Compliance alignment
- Glossary - Term definitions
- FAQ - Frequently asked questions
- Implementation Guide - Deployment guidance
- Use Cases - Real-world scenarios
ACR is an open framework designed to evolve with the autonomous AI ecosystem.
Contribution areas:
- Control layer refinements and extensions
- Implementation pattern documentation
- Threat model expansion (new attack vectors, mitigations)
- Standards mappings (EU AI Act, sector-specific regulations)
- Case studies and deployment experiences
- Research on drift detection, policy languages, observability schemas
Contribution process:
- Review existing issues and discussions
- Open issue describing proposed contribution
- Discuss approach and alignment with ACR principles
- Submit pull request with documentation updates
- Community review and merge
Code contributions: ACR is an architectural framework—reference implementations are welcome but maintained separately. The core framework repository focuses on specifications, design patterns, and architectural guidance.
See CONTRIBUTING.md for detailed guidelines.
Maintainer: Adam DiStefano (@SynergeiaLabs)
Roadmap:
- v1.0 (Current): Core six-layer architecture, NIST/ISO mappings, threat model
- v1.1 (Q2 2026): Expanded implementation patterns, telemetry schema standardization
- v1.2 (Q3 2026): Multi-model orchestration patterns, federated governance
- v2.0 (2027): Extensions for emerging AI architectures, regulatory compliance modules
See ROADMAP.md for detailed development plan. For project structure, decision-making, and working groups, see GOVERNANCE.md.
Community:
- GitHub Discussions: Architecture questions, use case sharing
- Monthly community calls: Framework evolution, implementation experiences (planned Q2 2026)
- Working groups: Drift detection, policy languages, observability standards
Organizations and vendors implementing ACR-aligned solutions are listed below. To add your implementation, see ADOPTION.md (criteria, maturity levels, and how to submit a listing).
Open Source:
- ACR Control Plane — reference runtime control-plane implementation (FastAPI + OPA + Postgres + Redis) with trust-path enforcement (site).
- [Add community implementations as they emerge]
Commercial:
- [Products implementing ACR patterns can self-register here]
Research:
- [Academic implementations and extensions]
Note: ACR is a framework specification. Listing does not imply endorsement; implementations self-declare alignment. Maturity levels (1–3) are defined in ADOPTION.md.
Apache 2.0 License - see LICENSE
This framework is freely available for use, modification, and distribution. Commercial implementations are encouraged.
If you reference ACR in research, standards, or product documentation, please cite:
@misc{acr-framework-2026,
author = {DiStefano, Adam},
title = {ACR Framework: Autonomous Control \& Resilience for Runtime AI Governance},
year = {2026},
publisher = {GitHub},
journal = {GitHub repository},
howpublished = {\url{https://github.com/SynergeiaLabs/acr-framework}},
version = {1.0}
}Implementers may use the ACR Aligned badge and refer to ADOPTION.md for citation text, logo usage, and maturity levels.
- Website: autonomouscontrol.io
- Documentation: docs
- Adoption & maturity: ADOPTION.md
- Governance: GOVERNANCE.md
- Contributing: CONTRIBUTING.md
- Discussions: GitHub Discussions
- Issues: GitHub Issues
ACR Framework v1.0 | March 2026 | Runtime Governance for Autonomous AI | Cite | Adopt
